summaryrefslogtreecommitdiffstats
path: root/ipaserver
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2010-02-19 13:29:14 -0500
committerRob Crittenden <rcritten@redhat.com>2010-03-19 17:17:14 -0400
commitc19911845d93e4cbbf296caf18568231549a3e60 (patch)
tree7215db333db05cefbe712e63f7c99d651afff908 /ipaserver
parent664ae51eb6e76ceb3630687d2ee423f69fb0ba19 (diff)
downloadfreeipa-c19911845d93e4cbbf296caf18568231549a3e60.tar.gz
freeipa-c19911845d93e4cbbf296caf18568231549a3e60.tar.xz
freeipa-c19911845d93e4cbbf296caf18568231549a3e60.zip
Use GSSAPI auth for the ipa-replica-manage list and del commands.
This creates a new role, replicaadmin, so a non-DM user can do limited management of replication agreements. Note that with cn=config if an unauthorized user performs a search an error is not returned, no entries are returned. This makes it difficult to determine if there are simply no replication agreements or we aren't allowed to see them. Once the ipaldap.py module gets replaced by ldap2 we can use Get Effective Rights to easily tell the difference.
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/dsinstance.py2
-rw-r--r--ipaserver/install/replication.py20
2 files changed, 21 insertions, 1 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 9a71b7f56..f535b7ba8 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -148,6 +148,8 @@ class DsInstance(service.Service):
self.pkcs12_info = None
self.ds_user = None
self.dercert = None
+ self.uidstart = 1100
+ self.gidstart = 1100
if realm_name:
self.suffix = util.realm_to_suffix(self.realm_name)
self.__setup_sub_dict()
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 242352975..a09fb3058 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -38,6 +38,8 @@ TIMEOUT = 120
IPA_REPLICA = 1
WINSYNC = 2
+SASL_AUTH = ldap.sasl.sasl({}, 'GSSAPI')
+
class ReplicationManager:
"""Manage replication agreements between DS servers, and sync
agreements with Windows servers"""
@@ -45,8 +47,13 @@ class ReplicationManager:
self.hostname = hostname
self.dirman_passwd = dirman_passwd
+ # If we are passed a password we'll use it as the DM password
+ # otherwise we'll do a GSSAPI bind.
self.conn = ipaldap.IPAdmin(hostname, port=PORT, cacert=CACERT)
- self.conn.do_simple_bind(bindpw=dirman_passwd)
+ if dirman_passwd:
+ self.conn.do_simple_bind(bindpw=dirman_passwd)
+ else:
+ self.conn.sasl_interactive_bind_s('', SASL_AUTH)
self.repl_man_passwd = dirman_passwd
@@ -98,6 +105,16 @@ class ReplicationManager:
return retval
def find_replication_dns(self, conn):
+ """
+ The replication agreements are stored in
+ cn="$SUFFIX",cn=mapping tree,cn=config
+
+ FIXME: Rather than failing with a read error if a user tries
+ to read this it simply returns zero entries. We need to use
+ GER to determine if we are allowed to read this to return a proper
+ response. For now just return "No entries" even if the user may
+ not be allowed to see them.
+ """
filt = "(|(objectclass=nsDSWindowsReplicationAgreement)(objectclass=nsds5ReplicationAgreement))"
try:
ents = conn.search_s("cn=mapping tree,cn=config", ldap.SCOPE_SUBTREE, filt)
@@ -465,6 +482,7 @@ class ReplicationManager:
# allow connections using two different CA certs
other_conn = ipaldap.IPAdmin(other_hostname, port=oth_port, cacert=oth_cacert)
try:
+ # For now we always require a password to set up new replica
other_conn.do_simple_bind(binddn=oth_binddn, bindpw=oth_bindpw)
except Exception, e:
if iswinsync: